IPv6 subnet unable to ping Internet

Hi,

I'll try to keep it short:
Network:
Modem - MT RB3011 - Ubiquiti UDM - LAN

  • I can ping IPv6 hosts on the internet from MT
  • I can't ping IPv6 on the internet from my client within the UDM-LAN

So I searched the forum and it seems to be a common IPv6 beginner issue, but I don't understand what I have to add or change.

feb/21/2022 13:40:28 by RouterOS 6.49.3

software id = PD93-KWF3

model = RB3011UiAS

serial number = E7E60F55AF25

# DHCPv6 server on "bridge"; it delegates from the pool IPv6Pool-nfc defined just below.
/ipv6 dhcp-server
add address-pool=IPv6Pool-nfc dhcp-option="" disabled=no interface=bridge lease-time=3d name=DHCPv6 preference=255 rapid-commit=yes route-distance=1 use-radius=no
# Manually defined pool: a fixed /60 handed out in /62 pieces. It is a different pool
# from WANIPv6, which the DHCPv6 client below fills with the prefix received on pppoe-out1.
/ipv6 pool
add name=IPv6Pool-nfc prefix=2001:db8:7501::/60 prefix-length=62
# DHCPv6 client on the PPPoE uplink: requests a prefix, stores it in pool WANIPv6 and
# adds a default route. (The command is wrapped onto a second line in this post.)
/ipv6 dhcp-client
add add-default-route=yes default-route-distance=1 dhcp-options="" disabled=no interface=pppoe-out1 pool-name=WANIPv6 pool-prefix-length=64 prefix-hint=::/0
request=prefix use-peer-dns=yes
# Address list bad_ipv6: prefixes the forward chain below drops when they appear as
# source or destination.
# NOTE(review): 2001:db8::/32 (documentation) contains the 2001:db8:7501::/60 prefix used
# in this export. If that prefix is literal rather than a redacted placeholder, the two
# bad_ipv6 forward rules would drop new connections from the LAN - confirm.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" disabled=no dynamic=no list=bad_ipv6
# Filter rules are evaluated top to bottom; the first match decides.
# input chain = traffic addressed to the router itself.
# NOTE(review): the ICMPv6, UDP traceroute, IKE and IPsec accepts sit above the final
# drop and carry no in-interface matcher, so they also apply to packets arriving on the
# WAN side. "port=" on the traceroute rule matches the range as source or destination port.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# forward chain = traffic routed through the router (LAN <-> Internet).
# A new connection passes only if it matches an accept rule here or arrives from the
# LAN interface list; anything else is dropped by the last rule. Membership of the LAN
# list is not part of this /ipv6 export - check that "bridge" is in it.
# NOTE(review): the ICMPv6 accept is not limited by interface, so ICMPv6 from the
# Internet (echo requests included) is forwarded to LAN hosts.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Router advertisements on "bridge". managed-address-configuration=yes tells hosts to
# obtain addresses via DHCPv6; a reply in this thread notes that the RouterOS DHCPv6
# server only provides prefixes, not addresses. (Command wrapped onto a second line.)
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=bridge managed-address-configuration=yes mtu=
unspecified other-configuration=no ra-delay=3s ra-interval=20s-1m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
# Advertised prefixes are flagged autonomous, i.e. usable for SLAAC.
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
# Global IPv6 settings: forwarding is enabled and router advertisements are accepted.
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes forward=yes max-neighbor-entries=8192


What do I have to change / add? :confused:

Thank you,
Markus

I don’t see IPv6 address being assigned to interface connecting to Ubiquiti …

Oh, ok. I thought this is done by this:

# DHCPv6 server on "bridge", delegating from the manually defined pool below.
# Neither command puts an IPv6 address on the bridge interface itself.
/ipv6 dhcp-server
add address-pool=IPv6Pool-nfc dhcp-option=“” disabled=no interface=bridge lease-time=3d name=DHCPv6 preference=255 rapid-commit=yes route-distance=1 use-radius=no
/ipv6 pool
add name=IPv6Pool-nfc prefix=2001:db8:7501::/60 prefix-length=62

with the Ubiquiti being connected to “bridge”.

What should this look like instead?

Do you have another DHCPv6 server for clients? The one in RouterOS only provides prefixes, not addresses.

This is, e.g., the `ip addr` output of a server behind the Ubiquiti:

5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a2:4c:88:38:94:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.119.4/24 brd 192.168.119.255 scope global bond0
valid_lft forever preferred_lft forever
inet6 2001:db8:7501:0:a04c:88ff:fe38:94c8/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86173sec preferred_lft 86173sec
inet6 2001:db8:7501::13e/128 scope global dynamic noprefixroute
valid_lft 73948sec preferred_lft 73948sec
inet6 fd3e:ead1:1b15:48ad:a04c:88ff:fe38:94c8/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 1573sec preferred_lft 296sec
inet6 fe80::a04c:88ff:fe38:94c8/64 scope link
valid_lft forever preferred_lft forever

From what I see, the IPv6 prefix is being delegated to my subnet, right?
If I try to ping e.g. 2620:119:35::35 from my subnet, nothing happens:

ping6 2620:119:35::35

PING6(56=40+8+8 bytes) 2001:db8:7501:0:6d66:3d41:41b2:463d --> 2620:119:35::35
(nothing else)

Or maybe I do not get your question.

Best,
Markus

When connecting the Ubiquiti UDM to the MT RB3011, I only provide the info to the UDM, that it will get a delegation from the MT (pls find attached a screenshot of the UDM GUI), nothing else. So I guess my subnet clients are getting their IPv6 addresses “automatically”. I’m not quite sure, if this is part of IPv6 functionality or if it is handled by a DHCPv6.
udmv6client.png

I've worked on it without success ...
Here is the current IPv6 export:

feb/21/2022 20:37:22 by RouterOS 6.49.3

software id = PD93-KWF3

model = RB3011UiAS

serial number = E7E60F55AF25

# DHCPv6 server on "bridge". It still delegates from the manually defined pool
# IPv6Pool-nfc; the resolution posted at the end of this thread was to remove that
# second pool and use only the one provided by the ISP.
/ipv6 dhcp-server
add address-pool=IPv6Pool-nfc interface=bridge name=DHCPv6
# Manually defined pool: a fixed /60 handed out in /62 pieces, separate from WANIPv6.
/ipv6 pool
add name=IPv6Pool-nfc prefix=2001:db8:7501::/60 prefix-length=62
# New in this export: the bridge gets an address taken from the delegated pool WANIPv6.
/ipv6 address
add from-pool=WANIPv6 interface=bridge
# DHCPv6 client on the PPPoE uplink: requests a prefix, stores it in pool WANIPv6 and
# adds a default route.
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=WANIPv6 request=prefix
# Address list bad_ipv6: prefixes the forward chain below drops when they appear as
# source or destination.
# NOTE(review): 2001:db8::/32 (documentation) contains the 2001:db8:7501::/60 prefix used
# in this export. If that prefix is literal rather than a redacted placeholder, the two
# bad_ipv6 forward rules would drop new connections from the LAN - confirm.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# Filter rules are evaluated top to bottom; the first match decides.
# input chain = traffic addressed to the router itself.
# NOTE(review): the ICMPv6, UDP traceroute, IKE and IPsec accepts sit above the final
# drop and carry no in-interface matcher, so they also apply to packets arriving on the
# WAN side.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# forward chain = traffic routed through the router (LAN <-> Internet).
# A new connection passes only if it matches an accept rule here or arrives from the
# LAN interface list; anything else is dropped by the last rule. Membership of the LAN
# list is not part of this /ipv6 export - check that "bridge" is in it.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Router advertisements are sent on "bridge"; no other ND option is listed in this export.
/ipv6 nd
set [ find default=yes ] interface=bridge
# The router accepts router advertisements.
/ipv6 settings
set accept-router-advertisements=yes

:confused:

SOLVED

I’ve removed the 2nd pool and now work only with the single pool provided by my ISP.